What's new in Fedora 18

by Thorsten Leemhuis

The Linux distribution now offers Secure Boot support and uses a thoroughly revised installer. Among the included program packages are GNOME, KDE SC and Xfce as well as Cinnamon and MATE.

More than two months later than originally scheduled, the Fedora project has released the Fedora 18 Linux distribution. The main reason for this long delay, unusual even by Fedora standards, was a major revision of the installer. Named "Spherical Cow", the distribution also offers Secure Boot support, new techniques for performing system updates and technologies for activating graphics chips at runtime.

Secured

With the new version, Fedora has joined the handful of Linux distributions that support UEFI Secure Boot. To provide this functionality, Fedora uses bootloaders that have been signed with Microsoft certificates and allow a typical Windows 8 PC to boot the distribution without any problems.

However, Fedora takes the implementation one step further than distributions such as Ubuntu 12.10, because Canonical only signs the bootloaders, not the kernel. This type of Secure Boot support doesn't create any discernible restrictions for users during normal operation; however, it still allows malware that becomes active before the operating system is started to be injected into Ubuntu – which is precisely what Secure Boot is designed to prevent.

In Fedora 18, the Microsoft-signed bootloaders only load kernels with a signature that is trusted – at present, this only includes the kernels that have been signed by the Fedora project. These, in turn, only load modules with a trusted signature, which are only those that are part of a Fedora kernel.

This approach makes injecting malware considerably more difficult, but it also complicates users' everyday life. It's not possible to simply load kernel modules from other sources, even those that are required by proprietary AMD or NVIDIA graphics drivers, unless the user signs the drivers and adds the signing key to the key database. Otherwise, the easiest way to use such kernel drivers is to disable Secure Boot in the firmware's setup options. The same is necessary before using systemtap or kprobes to trace the kernel's activities; kexec/kdump and suspend to disk (hibernate) also require Secure Boot to be disabled, as explained in the Fedora project's UEFI Secure Boot Guide.

Disabling the technology is also the easiest solution when booting a custom kernel. Alternatively, such a kernel can be signed with custom signatures and the system notified of their trustworthiness; Fedora kernel developer Josh Boyer explains the details on his blog.
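
As an added example (not from the article or the Fedora project), the following Python sketch checks whether a module file carries an appended signature at all. It assumes the mainline Linux layout, in which a signed module ends with the signer name, key identifier, signature, a 12-byte information block and the marker `~Module signature appended~`; the sample data is constructed, and the code neither verifies the signature nor decides whether the key is trusted.

```python
import struct

MAGIC = b"~Module signature appended~\n"  # trailer marker (mainline Linux layout, assumed)
INFO = struct.Struct(">BBBBB3xI")          # algo, hash, id_type, signer_len, key_id_len, pad, sig_len

def parse_module_signature(blob):
    """Return a dict describing the appended signature, or None if unsigned.

    Raises ValueError when the marker is present but the trailer is malformed.
    """
    if not blob.endswith(MAGIC):
        return None
    body = blob[:-len(MAGIC)]
    if len(body) < INFO.size:
        raise ValueError("truncated signature information block")
    algo, hash_id, id_type, signer_len, key_id_len, sig_len = INFO.unpack(body[-INFO.size:])
    body = body[:-INFO.size]
    total = signer_len + key_id_len + sig_len
    if total > len(body):
        raise ValueError("signature lengths exceed file size")
    sig_block = body[len(body) - total:]
    return {
        "algo": algo, "hash": hash_id, "id_type": id_type,
        "signer": sig_block[:signer_len],
        "key_id": sig_block[signer_len:signer_len + key_id_len],
        "sig_len": sig_len,
        "payload_len": len(body) - total,  # size of the module without the trailer
    }

def build_sample(payload, signer, key_id, sig):
    """Constructed test data: append a trailer in the same layout (no real crypto)."""
    info = INFO.pack(1, 4, 1, len(signer), len(key_id), len(sig))
    return payload + signer + key_id + sig + info + MAGIC

if __name__ == "__main__":
    fake_module = b"\x7fELF-constructed-module"
    signed = build_sample(fake_module, b"Example Signer", b"\x01\x02\x03\x04", b"\xaa" * 256)
    print("signed:  ", parse_module_signature(signed))
    print("unsigned:", parse_module_signature(fake_module))
```

A result of None means the kernel described above would have nothing to check; a parsed trailer only shows that a signature is present, not that its key is in the trusted key database.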

Installer

In the new version, Fedora's Anaconda installer has undergone a major revision and acquired a new look. The installer's appearance is now significantly more modern. In theory, installation will also be faster because all the user needs to do is enter a destination; Anaconda only requests parameters that are required for operation, such as the root password, when initialising the storage devices. Other settings – such as the time zone and keyboard layout – are optional and no longer need to be tediously asked for one by one, as was the case in previous versions of Fedora.

The Fedora project hasn't managed to implement all the changes that were scheduled for this revision. One consequence is that the feature for adding other package repositories during installation was lost; it is due to return in version 19. The installer also has more known issues than those of previous Fedora versions, for example one that affects the selection of the keyboard layout. Some of the revised features have complicated the installer, and users might, for instance, regard the interface for creating manual partitions as a confusing step backwards.

Kernel

The distribution's kernel is Linux 3.6; however, the Fedora developers have already released an updated kernel for Fedora 18 that is based on the current Linux 3.7 kernel, and a similar update is also due soon for Fedora 17 systems.

Several of the components mentioned above and various other changes in Fedora allow version 18 to support the experimental "Prime" infrastructure that is designed to improve the activation of graphics chips at runtime. This includes, for example, DisplayLink monitors that are connected via USB and NVIDIA's Optimus technology; Optimus can mainly be found in notebooks and allows users to enable a GeForce graphics chip. In tests, however, the distribution failed to enable a DisplayLink adapter. Bumblebee, a component that is currently not included in Fedora, would have been a far more interesting way of providing Optimus support because it gives access to NVIDIA's proprietary graphics drivers; these drivers don't currently support Prime but coax far better 3D performance out of GeForce chips than Fedora's Prime-compatible open source drivers.